SFTP and cipher strength

I set up a SFTP server on Vultr a few months ago. No issues with it and everything is fine. The vendor that is going to be connecting to it to send us files sent an email stating they don't support the ciphers that it is using until end of 3rd quarter in 2018.

From them: Our client supports AES128, AES192, and AES256 but does not work with the “-CTR” ciphers. The new version of our client “should” work with the “-CTR” ciphers, but will not be available until about 3rd quarter in 2018. So, unless the customer can enable standard AES ciphers, you’ll have to try FTPS or some other available method. Can you enable the standard AES ciphers on your sftp server? Please advise. Thanks!

I am guessing they are running outdated client software. I can connect just fine with WinSCP and other clients. Is there a way to add the older ciphers to Fedora? This company is always behind on everything. They never told me they needed anything other than an SFTP server. Very frustrating.

@jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.

@jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.

They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.

Driving down the road the moment otherwise I would try to get you some screenshots

@jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.

They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.

Driving down the road the moment otherwise I would try to get you some screenshots

@jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.

They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.

Driving down the road the moment otherwise I would try to get you some screenshots

@jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.

They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.

Driving down the road the moment otherwise I would try to get you some screenshots

Siri was not nice to you!

translate for me thanks

I considered - but then I even realized I couldn't follow that dibble.

@jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.

They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.

Driving down the road the moment otherwise I would try to get you some screenshots

English Translation:

The lines are commented out because they are using the default settings. Uncomment those lines and then change them to work with the AES ciphers.

@scottalanmiller I am not connecting to the server. I just set it up and have no trouble connecting to it and moving files around for testing purposes. One of our vendors will connect to it and upload files. We will then go retrieve them. THEIR client software is not playing nice with the ciphers that are the default in Fedora. They as a company are always behind the curve on being up-to-date. They just need it to work. I've been reading for hours on end to make it compatible for them with no luck.

@scottalanmiller I am not connecting to the server. I just set it up and have no trouble connecting to it and moving files around for testing purposes. One of our vendors will connect to it and upload files. We will then go retrieve them. THEIR client software is not playing nice with the ciphers that are the default in Fedora. They as a company are always behind the curve on being up-to-date. They just need it to work. I've been reading for hours on end to make it compatible for them with no luck.

Right, I guess that's the question, if they can't keep their software secure, time to have a "come to Jesus" talk with them. This isn't a hard thing to do, the most incompetent IT department would still have current ciphers for their SSH. This implies that they are behind by decades and are laughing that you are still paying them when they aparently fired their IT staff in the 1990s.